Set up Firewall to allow access to printer but not internet

I have a d-link 655 router with a printer on one of the ports. I would like to allow a program to access the printer but not the internet. Would appreciate advice on how to do it in comodo. Thanks

Restrict the apps access to ports 135-139.

Where would that be done? I am new to this stuff and don’t know how to do it. Would appreciate directions or a link to the appropriate procedure. Thanks

Sorry. I was in a bit of a rush this morning and I don’t have access to a CIS installed PC at the moment.

I’ll post instructions this evening (my time - in roughly 9 hours) if that’s OK. In the meantime, can you please post the name of the executable that you want to prohibit from accessing the internet (just so I can use the same terms you’ll need to use to set the rules up).

As an overview, we are going to be creating an application rule in the firewall that blocks internet port traffic (ports 80, 443 and 8080) for the application in question. It will still allow traffic from that application over other ports though. The three ports named above are the three primary ports used for web traffic, but we could also include ports 21, 22, 25, 100 and a handful of others.

Mea culpa,
Ewen :slight_smile:

Hi Ewen, no problem, thanks for the help. The particular program is “photoshop.exe” and I assume that the procedure would work for just about any other app?

Sorry for the delay in getting back to you.

There are (at least) two ways to achieve this - the simplest method is to block the internet ports to the app in question. To be thorough, we should define two rules - one that defines what is blocked and the other defining what is allowed (the “Allow” rule relies on you having already set up a ZONE for your local LAN).

APPLICATION SPECIFIC INTERNET BLOCKING RULE

  1. Open CIS and click FIREWALL → ADVANCED → NETWORK SECURITY POLICY
  2. Click ADD
  3. Click SELECT and navigate to and select the application you want to restrict
  4. Ensure USE A CUSTOM POLICY is selected and click ADD
  5. Set up a rule with the following parameters:
    Action : BLOCK
    Protocol : TCP or UDP
    Direction : OUT
    Description : Give your rule a meaningful name
    Source address : ANY (This is your PC)
    Destination address : ANY
    Source ports : ANY
    Destination ports : A SET OF PORTS and then select HTTP PORTS in the droplist
  6. Click APPLY
  7. Click APPLY
  8. Click OK

This rule blocks the application’s outbound access to all servers when it is sending to a port that is included in the port set named “HTTP ports”.

APPLICATION SPECIFIC LAN “ALLOW” RULE

  1. Open CIS and click FIREWALL → ADVANCED → NETWORK SECURITY POLICY
  2. Click ADD
  3. Click SELECT and navigate to and select the application you want to restrict
  4. Ensure USE A CUSTOM POLICY is selected and click ADD
  5. Set up a rule with the following parameters:
    Action : ALLOW
    Protocol : TCP or UDP
    Direction : IN OR OUT
    Description : Give your rule a meaningful name
    Source address : ZONE (Select your local ZONE from the droplist)
    Destination address : ZONE (Select your local ZONE from the droplist)
    Source ports : A SET OF PORTS and select HTTP PORTS from the droplist
    Select EXCLUDE (This option is greyed out until you select a source port other than ANY)
    Destination ports : A SET OF PORTS and select HTTP PORTS from the droplist
    Select EXCLUDE (This option is greyed out until you select a destination port other than ANY)
  6. Click APPLY
  7. Click APPLY
  8. Click OK

This rule, providing you have set up a ZONE, allows the application’s outbound access to all addresses and all ports on your local LAN with the exception of the HTTP ports.

In hindsight, we may only need the second rule, as this one should allow all local LAN traffic, but should block attempted sends to the HTTP ports of any server.

There is a lot to be said for using the EXCLUDE option in application rules, as it can (in certain circumstances - i.e. where you want to create a rule but there is ONE exception to the rule) mean you only need one rule instead of two, which means faster parsing and processing.

I would set up the second rule first and check if the app in question can “phone home”. If it can’t, we achieved what we set out to do and we should stop. If, on the other hand, it can still phone home, set up the first rule, which should explicitly block the app’s access to the HTTP ports.

If you don’t have a ZONE set up for your local LAN, try rule 1 and see if the app can phone home.

Let us know how this works out.

Hope this helps,
Ewen :slight_smile:
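To make the two rules above concrete, here is an added example (my own code, not part of the thread and not Comodo’s software) that models them as a first-match rule list and runs a few constructed packets through it. It assumes a local ZONE of 192.168.0.0/24, a PC at 192.168.0.10, a printer listening on TCP 9100, an “HTTP Ports” set of 80/443/8080, and top-down first-match evaluation with a configurable default for traffic no rule matches; none of those values come from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

# "HTTP Ports" set as the thread describes it (assumed membership: 80, 443, 8080).
HTTP_PORTS: Set[int] = {80, 443, 8080}
# Assumed local ZONE; the thread never states the real subnet.
LOCAL_ZONE: IPv4Network = ip_network("192.168.0.0/24")


@dataclass
class Packet:
    direction: str   # "IN" or "OUT", from the PC's point of view
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    name: str
    action: str                      # "ALLOW" or "BLOCK"
    direction: str                   # "IN", "OUT" or "IN OR OUT"
    src_zone: Optional[IPv4Network]  # None means ANY
    dst_zone: Optional[IPv4Network]
    src_ports: Optional[Set[int]]    # None means ANY
    src_exclude: bool                # EXCLUDE flag: match ports NOT in the set
    dst_ports: Optional[Set[int]]
    dst_exclude: bool


def port_matches(port: int, portset: Optional[Set[int]], exclude: bool) -> bool:
    """ANY matches everything; EXCLUDE inverts membership in the port set."""
    if portset is None:
        return True
    return (port not in portset) if exclude else (port in portset)


def addr_matches(addr: str, zone: Optional[IPv4Network]) -> bool:
    return zone is None or ip_address(addr) in zone


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != "IN OR OUT" and rule.direction != pkt.direction:
        return False
    return (addr_matches(pkt.src, rule.src_zone)
            and addr_matches(pkt.dst, rule.dst_zone)
            and port_matches(pkt.sport, rule.src_ports, rule.src_exclude)
            and port_matches(pkt.dport, rule.dst_ports, rule.dst_exclude))


def decide(rules: List[Rule], pkt: Packet, default: str = "ALLOW") -> str:
    """First matching rule wins; `default` applies when nothing matches (assumed semantics)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Rule 1 from the thread: BLOCK, OUT, any -> any, destination ports = HTTP Ports.
BLOCK_HTTP = Rule("Block HTTP ports (rule 1)", "BLOCK", "OUT",
                  None, None, None, False, HTTP_PORTS, False)
# Rule 2 from the thread: ALLOW, IN OR OUT, zone -> zone, both port sets = HTTP Ports with EXCLUDE.
ALLOW_LAN = Rule("Allow LAN except HTTP (rule 2)", "ALLOW", "IN OR OUT",
                 LOCAL_ZONE, LOCAL_ZONE, HTTP_PORTS, True, HTTP_PORTS, True)

# Constructed sample traffic from the PC at 192.168.0.10.
TO_PRINTER = Packet("OUT", "192.168.0.10", "192.168.0.50", 50000, 9100)   # print job on the LAN
TO_INTERNET = Packet("OUT", "192.168.0.10", "203.0.113.10", 50001, 443)   # "phone home" over HTTPS
TO_ROUTER_UI = Packet("OUT", "192.168.0.10", "192.168.0.1", 50002, 80)    # LAN host, but an HTTP port

if __name__ == "__main__":
    both = [ALLOW_LAN, BLOCK_HTTP]
    for pkt in (TO_PRINTER, TO_INTERNET, TO_ROUTER_UI):
        print(f"{pkt.dst}:{pkt.dport:<5} both rules -> {decide(both, pkt)}, "
              f"rule 2 alone -> {decide([ALLOW_LAN], pkt)}")
```

The interesting case is the HTTPS packet with rule 2 alone: nothing matches it, so the outcome is whatever the default is. That is exactly why the thread suggests testing whether the app can still “phone home” after rule 2 and adding rule 1 only if it can.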

Ewen, apparently I’ve wasted your time. After setting it up as procedure 2 I began playing around and testing. I found that Photoshop.exe doesn’t call home, only Adobe Updater, and it is already blocked. I also tried to access the printer with photoshop.exe blocked (Predefined) and it communicates with the printer fine. So I guess that when Comodo blocks an app it doesn’t block access to the LAN but to the internet?

You’re not wasting time if you’re learning. :wink: